The following existing technologies that have been used to make the Internet services secured are related with this invention.
DNSSEC (Domain Name System Security Extensions) is used to securely store domain names, IP addresses and other parameters in the global system of DNS servers ([DNSSEC]). And by using a hierarchical trust model, DNSSEC provides assurance that the DNS records can be transmitted securely from the server to a requesting host. It protects the integrity of DNS records, that is, these records cannot be modified by an eavesdropper when they are being transmitted through the network.
IPsec (Internet Protocol Security) is a security mechanism for securing IP layer connections in the current Internet ([IPsec]). IPsec protects the integrity of both the IP header and payload in data packets, i.e. the receiver of the packets can verify that these packets have not been modified by an eavesdropper.
However, IPsec is not properly applicable to the ID/locator split-based new generation network because this network requires changing IP headers as packets traverse the different parts of the heterogeneous network that can use different types of network layer protocols.
JP Patent Publication 2008-312191 A specifies the basic conceptual architecture of the ID/locator split-based new generation network architecture. It describes the functions of different components, such as the gateway, host (or node) and name servers, and their interactions.
JP Patent Publication 2008-312191 A describes the method to form node names or hostnames and IDs, the protocol stack of ID/locator split network architecture, the ID/locator split-based communication initialization process, and ID/locator split supporting hierarchical network structure.
To eliminate the problems caused by the overloaded semantics of IP addresses as both host IDs and locators, various approaches of introducing the ID/locator split concept into network architectures have recently been discussed. ID/locator split architectures use distinct sets of values for host IDs and locators, whose mappings are stored in some mapping servers. Locator/ID Separation Protocol (LISP) [LISP] is introducing ID/locator split in the edge routers to reduce BGP routing table growth rates and route update frequencies in the backbone networks. Host Identity Protocol (HIP) [HIP] applies ID/locator split in the host protocol stack to make the session establishment and mobility functions secured. Similarly, Shim6 [Shim6] applies ID/locator split to enable hosts to support multihoming. While each of the above protocols tries to address a specific issue (viz. routing scalability, secured mobility, and multihoming) of the current Internet, HIMALIS (Heterogeneity Inclusion and Mobility Adaptation through Locator ID Separation) [HIMALIS] proposes a generic architecture, based on the ID/locator split concept, that can better support mobility, multihoming, scalable routing and heterogeneous protocols in the network layer. These proposals require retrieving ID/locator mapping data to find corresponding locators for the given names or IDs when forwarding packets into the network. They need to update the mapping data when hosts change their locators (due to mobility) or add new locators (due to multi homing). The Domain Name System (DNS) is not suitable for the fast updates of this type of dynamic mapping data because of the existence of multiple copies of cached data in the global system of DNS servers [DNS2].
Therefore, besides DNS servers, additional servers are needed for storing the ID/locator mapping data of dynamic hosts. For this purpose, ALT [ALT] for LISP, rendezvous servers for HIP, and hostname registries for HIMALIS, for instance, have been proposed in the literature. These proposals, however, lack inbuilt security functions for collectively protecting the update and retrieval procedures. This patent application specifies a method to make the system secured.
Although HIP uses certificates and public keys to establish secure sessions between hosts, it does not cover the security of ID/locator mapping update, retrieval and network access process. DNS security [DNSSEC] uses certificates and public keys to securely distribute and retrieve domain records, but it is not favorable for frequent updates of the records.